Apache Log4j Unsupported Version Detection

Nessus Plugin ID 156032 (Severity: Critical)

Synopsis

A logging library running on the remote host is no longer supported.

Description

According to its self-reported version number, the installation of Apache Log4j on the remote host is no longer supported. Log4j reached its end of life prior to 2016.

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

Solution

Upgrade to a version of Apache Log4j that is currently supported.

Upgrading to the latest version of Apache Log4j is highly recommended, as intermediate versions and patches have known high-severity vulnerabilities and the vendor updates its advisories frequently as new research into the impact of Log4j emerges. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions.

See Also

http://www.nessus.org/u?59f655a2

Plugin Details

Severity: Critical

ID: 156032

File Name: apache_log4j_unsupported.nasl

Version: 1.4

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 12/13/2021

Updated: 5/18/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information

CVSS Score Rationale: Tenable score for unsupported software.

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:apache:log4j

Required KB Items: installed_sw/Apache Log4j

Reference Information

IAVA: 0001-A-0650